01/16/2007 12:39 9734676589 HENRY BRENDZEL PAGE

Iloglu 2003-0125 
IN THE CLAIMS: 

1. (Currently Amended) An arrangement comprising a network adapted to
allow systems to connect to the network via edge routers of the network (11-15), and
further adapted to assign at least some of said systems to specified VPNs, which network
includes collection of modules that includes one or more devices that operate to not
enable operates to insure that systems A and B of said systems that are each assigned to
one or more VPNs but which have no commonly assigned VPN cannot establish a
connection to communicate with each other, characterized by the improvement
comprising:

a controller (110-200) that (1) detects an identified application, executed in an
element of said arrangement, which calls for communication between system A and
system B, and (2) authorizes such communication when said identified application is
included in a set of one or more allowed applications, by directing said collection of
elements to modify itself to enable said establishing a connection communication
between system A and system B.

2. (Previously Presented) The arrangement of claim 1 where said element of
said arrangement is system A.

3. (Previously Presented) The arrangement of claim 1 where said element of
said arrangement is system B.

4. (Currently Amended) The arrangement of claim 1 where said collection of
modules comprises said edge routers.

5. (Currently Amended) The arrangement of claim 1 where said collection of 
modules comprises VPN routing and forwarding tables, one within each of said edge 
routers. 

6. (Previously Presented) The arrangement of claim 1 where said network is an 
MPLS network. 

7. (Currently Amended) The arrangement of claim 6 where said collection of
modules comprises VPN routing and forwarding tables, one within each of edge routers
of said network, and said controller directs an edge router of said edge routers through
which system A is connected to said network to modify its routing and forwarding table,
and directs an edge router of said edge routers through which system B is connected to
said network to modify its routing and forwarding table.

8. (Previously Presented) The arrangement of claim 1 where said identified 
application is voice over IP and voice over IP is one of said allowed applications. 

9. (Previously Presented) The arrangement of claim 1 where said identified 
application is video over IP and video over IP is one of said allowed applications. 

10. (Previously Presented) The arrangement of claim 1 where said controller 
comprises a route server and a call control element. 

11. (Currently Amended) The method of claim 21 where the step of directing
said collection of modules to allow said communication comprises: A method executed in
an arrangement including a network that supports assigning systems to specified VPNs,
which systems connect to edge routers of the network, which network includes collection,
comprising one or more devices, that operates to insure that systems A and B of said
systems that are each assigned to one or more VPNs but which have no commonly
assigned VPN cannot communicate with each other, comprising the steps of:

receiving a message from an application of a type for which inter VPN
communication is allowed, indicating a desire to establish communication between said
systems A and B;

directing said collection of modules to install a modification having whose effect
is to allow communication between said systems A and B; and

directing said collection of modules to remove said modification at a later time to
reinstate prohibition against communication between said systems A and B.

12. (Previously Presented) The method of claim 11 where said application is
voice over Internet or video over Internet.

13. (Currently Amended) The method of claim 12 where said directing said
collection of modules to remove said modification occurs substantially
contemporaneously with termination of said voice over Internet or video over Internet
communication.

14. (Currently Amended) The method of claim 11 where said directing said 
collection of modules to install a modification comprises the steps of: 

installing a first entry X in a table of an element that of said collection of modules
that is charged with blocking traffic so that that no traffic is carried from[[,]] system A
tern to a system that is assigned to a VPN to which system A is not assigned, which
entry nullifies said blocking relative to system B, and

installing a second entry Y in a table of an element that of said collection of
modules that is charged with blocking traffic so that that no traffic is carried from[[,]]
system B from a system that is assigned to a VPN to which system B is not assigned,
which entry nullifies said blocking relative to system A.

15. (Currently Amended) The method of claim 14 where

the first entry X includes a criterion that nullifies said blocking only relative to 
traffic pertaining to said application, and 

the second entry X includes a criterion that nullifies said blocking only relative to 
traffic pertaining to said application. 

16. (Currently Amended) The method of claim 11 where said collection of 
modules is said edge routers of the network. 

17. (Currently Amended) The method of claim 11 where said directing said
collection of modules to install a modification comprises a step of installing an entry in a
VPN route and forward (VRF) table that is associated with edge router A of said edge
routers through which said system A is coupled to said network, and installing an entry in
a VRF table that is associated with edge router B of said edge routers through which said
system B is coupled to said network.

18. (Previously Presented) The method of claim 17 where said entry that is 
installed in said VRF associated with said edge router A comprises an indication that 
system B belongs to a VPN to which system A belongs, and said entry that is installed in 
said VRF associated with said edge router B comprises an indication that system A 
belongs to a VPN to which system B belongs.

19. (Previously Presented) The method of claim 18 where said entry that is 
installed in said VRF associated with said edge router A further comprises a route 
indication for reaching system B, and said entry that is installed in said VRF associated 
with said edge router B further comprises a route indication for reaching system A. 

20. (Previously Presented) The method of claim 18 where said entry that is 
installed in said VRF associated with said edge router A further comprises a route 
criterion for limiting traffic that is destined to system B solely to traffic that pertains to 
said application. 
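
Added example, not part of the filing: a minimal Python model of the method of claims 11 to 20, together with the authorization step of claim 21. A controller lifts the default inter-VPN block only for an allowed application, by installing application-scoped entries at both edge routers, and removes them at termination. The class names, the labels "voip", "video" and "ftp", the router and VPN names, and the modelling of a VRF table as a set of (local system, remote system, application) entries are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class EdgeRouter:
    name: str
    # Temporary entries: (local system, remote system, application).
    entries: set = field(default_factory=set)

class Controller:
    def __init__(self, vpns, attach, allowed_apps):
        self.vpns = vpns              # system -> set of assigned VPN names
        self.attach = attach          # system -> EdgeRouter it connects through
        self.allowed = set(allowed_apps)
        self.audit = []               # (action, A, B, app) records for review

    def can_send(self, src, dst, app):
        if self.vpns[src] & self.vpns[dst]:
            return True               # a commonly assigned VPN: normal forwarding
        # No common VPN: blocked unless both edge routers hold a matching entry.
        return ((src, dst, app) in self.attach[src].entries
                and (dst, src, app) in self.attach[dst].entries)

    def request(self, a, b, app):
        if app not in self.allowed:   # authorization step
            self.audit.append(("deny", a, b, app))
            return False
        self.attach[a].entries.add((a, b, app))   # entry X, scoped to the application
        self.attach[b].entries.add((b, a, app))   # entry Y, scoped to the application
        self.audit.append(("install", a, b, app))
        return True

    def terminate(self, a, b, app):
        # Remove both entries so the default prohibition is back in force.
        self.attach[a].entries.discard((a, b, app))
        self.attach[b].entries.discard((b, a, app))
        self.audit.append(("remove", a, b, app))

def demo():
    # Constructed topology: A and B share no VPN and sit behind different routers.
    pe1, pe2 = EdgeRouter("PE1"), EdgeRouter("PE2")
    ctl = Controller({"A": {"vpn-red"}, "B": {"vpn-blue"}},
                     {"A": pe1, "B": pe2}, allowed_apps={"voip", "video"})
    steps = [ctl.can_send("A", "B", "voip")]       # blocked by default
    steps.append(ctl.request("A", "B", "ftp"))     # application not allowed
    steps.append(ctl.request("A", "B", "voip"))    # authorized, entries installed
    steps.append(ctl.can_send("A", "B", "voip"))   # call traffic now passes
    steps.append(ctl.can_send("A", "B", "ftp"))    # other traffic still blocked
    ctl.terminate("A", "B", "voip")
    steps.append(ctl.can_send("A", "B", "voip"))   # prohibition reinstated
    return steps, ctl.audit
```

The audit list gives a reviewer a record of every denied request and every install and remove pair, so an entry that was installed but never removed stands out.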

21. (Currently Amended) A method executed in an arrangement including a 
network that supports assigning systems to specified VPNs, which systems connect to 
edge routers of the network, which network includes collection of modules, comprising 
one or more devices, that operates to insure that systems A and B of said systems that are 
each assigned to one or more VPNs but which have no commonly assigned VPN cannot 
are disallowed to communicate with each other, characterized by comprising the steps of:

receiving a message (304) from a indicating a desire to establish communication 
between said systems A and B pursuant to an identified application; 
determining whether to authorize said communication; and 
when said step of determining proris concludes that such communication ought
to be permitted, directing (313,314) said collection of modules to allow said
communication.